Honeypot for phony waterworks gets hammered on Internet

An experiment in which a Trend Micro researcher set up two instances of an Internet-based simulation of an industrial-control system (ICS) for a nonexistent water-pump facility in rural Missouri found the simulated system was targeted 17 times over about four months in ways that would have been catastrophic if it had been a real waterworks operation.


The purpose of this "honeypot" ICS that mimicked a water-pump supervisory control and data acquisition (SCADA) network was to find out how frequent targeted attacks might be for those real-world SCADA systems that are reachable via the Internet, said threat researcher Kyle Wilhoit, who is presenting his findings today at the Black Hat Europe Conference (which features a host of intriguing sessions). Wilhoit, whose background includes working at real-world energy and water companies, says his honeypot setup closely resembles what's in actual use at companies today.

The existence of his ICS water-pump station mock-up, set up last November, was found by online attackers within a few days, and the tampering attempts began. Over time, these included 12 serious targeted attempts to shut down the water pump and five attempts to modify the pump processes, all of which would have succeeded if it had been a real water system. About one-third of the attacks came from China, 19% from the U.S. and 12% from Laos, with a variety of other countries, such as Russia and the Palestinian territories, also the source of targeted attacks.

The honeypots, which are still in operation, each consist of a SCADA system and a server with salted documents intended to give attackers something to steal in the way of fake operational documents.

The first honeypot setup is a network based on physical hardware, including the Siemens Controller Simatic S7-1200 operated out of Wilhoit's St. Louis basement. The second honeypot is a virtualized version of it running in the Amazon EC2 cloud. Via the Google and Shodan search engines, attackers quickly identified the online existence of Wilhoit's Siemens programmable-logic controller and the fake rural Missouri water-pump company he'd created.

There were plenty of scans against the honeypot system, but the main targeted attacks, which were of most interest to Wilhoit, came in through vulnerable Web front ends and computer systems that had been deliberately misconfigured -- the type of mistakes common in energy and water companies today.
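One way to make the scan-versus-targeted-attempt distinction operational, as an added example that is not the article's or Trend Micro's code: a small Python classifier run over constructed honeypot front-end log lines, separating reconnaissance from attempts to stop or retune the pump and tallying the targeted attempts by source country. The log format, the /pump/control endpoint, its parameter names and the IP-to-country table are all assumptions made here for illustration.

```python
"""Classify honeypot web front-end requests into reconnaissance scans versus
targeted pump-control attempts. Added illustration only; the log format, the
control endpoint, its parameters and the country table are constructed."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed log format: "<iso-timestamp> <src-ip> <METHOD> <path>[ <form-body>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>\S+))?$"
)

# Hypothetical path on the fake front end that accepts pump commands.
CONTROL_PATH = "/pump/control"

# Constructed attribution table using RFC 5737 documentation ranges; a real
# deployment would consult a GeoIP database instead of a hand-written map.
COUNTRY_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "LA",
}


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    country: str
    category: str  # "scan", "shutdown_attempt" or "modify_attempt"


def country_for(ip: str) -> str:
    """Map a source address to a country code via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_BY_NET.items():
        if addr in net:
            return cc
    return "??"


def parse_body(body: Optional[str]) -> Dict[str, str]:
    """Split an application/x-www-form-urlencoded body into key/value pairs."""
    if not body:
        return {}
    return dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)


def classify(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip rather than guess at malformed input
    params = parse_body(m["body"])
    category = "scan"  # anything that does not write to the controller
    if m["method"] == "POST" and m["path"] == CONTROL_PATH:
        if params.get("pump_state", "").lower() in {"off", "stop"}:
            category = "shutdown_attempt"
        elif params:
            category = "modify_attempt"
    return Event(m["ts"], m["ip"], country_for(m["ip"]), category)


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count events per category and targeted attempts per source country."""
    events: List[Event] = [e for e in (classify(l) for l in lines) if e]
    targeted = [e for e in events if e.category != "scan"]
    return {
        "by_category": dict(Counter(e.category for e in events)),
        "targeted_by_country": dict(Counter(e.country for e in targeted)),
        "targeted_total": len(targeted),
    }


# Constructed sample traffic against the fake front end (not captured data).
SAMPLE_LOG = [
    "2012-11-24T03:12:44Z 203.0.113.5 GET /",
    "2012-11-24T03:12:45Z 203.0.113.5 GET /pump/status",
    "2012-11-24T03:13:02Z 203.0.113.5 POST /pump/control pump_state=off",
    "2012-11-25T11:40:10Z 198.51.100.7 GET /pump/control",
    "2012-11-25T11:41:33Z 198.51.100.7 POST /pump/control setpoint_psi=95&mode=manual",
    "2012-11-26T22:05:01Z 192.0.2.9 POST /pump/control pump_state=stop",
    "2012-11-27T08:00:00Z 192.0.2.9 GET /robots.txt",
    "garbage line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The classifier deliberately counts only writes to the control endpoint as targeted, so a burst of GET requests from a scanner does not inflate the attack tally; the country map is kept separate from the classification so it can be swapped for a proper GeoIP lookup without touching the detection rules.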

Attackers came back again and again to exploit vulnerabilities on the devices and attempt further actions. The experiment also made use of the malware honeypot called Dionaea, and Trend Micro is analyzing samples collected there.

The point of this project, Wilhoit emphasizes, is that in an age of concern about malware such as Stuxnet, Flame and others designed for cyber-espionage and cyber-sabotage, the reality is that attackers are looking for whatever critical-infrastructure pieces, such as SCADA systems, might be left exposed on the Internet. He adds that no SCADA or ICS should be reachable in this way, but many likely are, and real-world attacks on them may be more prevalent than is generally known.